Star Zeng cf574f0a18 UefiCpuPkg PiSmmCpuDxeSmm: Only support IN/OUT IO save state read (CVE-2018-12182)
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1136
CVE: CVE-2018-12182

Customer met system hang-up during serial port loopback test in OS.
It is a corner case that happened with one CPU core doing "out dx,al" and
another CPU core(s) doing "rep outs dx,byte ptr [rsi]".

Detailed code flow is as below.

1. Serial port loopback test in OS.
One CPU core: "out dx,al" -> Writing B2h, SMI will happen.
Another CPU core(s): "rep outs dx,byte ptr [rsi]".

2. SMI happens to enter SMM.
"out dx" (SMM_IO_TYPE_OUT_DX) is saved as I/O instruction type in
SMRAM save state for CPU doing "out dx,al".
"rep outs dx" (SMM_IO_TYPE_REP_OUTS) is saved as I/O instruction
type and rsi is saved as I/O Memory Address in SMRAM save state for
CPU doing "rep outs dx, byte ptr [rsi]".

NOTE: I/O Memory Address (rsi) is a virtual address mapped by
OS/Virtual Machine.

3. Some SMM code calls EFI_SMM_CPU_PROTOCOL.ReadSaveState() with
EFI_SMM_SAVE_STATE_REGISTER_IO and parses the data returned.

For example:
https://github.com/tianocore/edk2/blob/master/QuarkSocPkg/QuarkNorthCluster/Smm/DxeSmm/QncSmmDispatcher/QNC/QNCSmmSw.c#L76

4. SmmReadSaveState() is executed to read save state for
EFI_SMM_SAVE_STATE_REGISTER_IO.

- The SmmReadSaveState() function in
  "UefiCpuPkg/PiSmmCpuDxeSmm/PiSmmCpuDxeSmm.c" calls the
  SmmCpuFeaturesReadSaveStateRegister() function, from the platform's
  SmmCpuFeaturesLib instance.

- If that platform-specific function returns EFI_UNSUPPORTED, then
  PiSmmCpuDxeSmm falls back to the common function
  ReadSaveStateRegister(), defined in file
  "UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c".

The current ReadSaveStateRegister() in
UefiCpuPkg/PiSmmCpuDxeSmm/SmramSaveState.c tries to copy data
from the I/O Memory Address for EFI_SMM_SAVE_STATE_IO_TYPE_REP_PREFIX,
so a PF will happen as the SMM page table does not know of and cover
this OS/Virtual Machine virtual address.

The same case applies to SmmCpuFeaturesReadSaveStateRegister() in the
platform-specific SmmCpuFeaturesLib instance if it has a similar
implementation to read save state for EFI_SMM_SAVE_STATE_REGISTER_IO
with EFI_SMM_SAVE_STATE_IO_TYPE_REP_PREFIX.

The same case applies to "ins", "outs" and "rep ins".

So to fix the problem, this patch updates the code to only support
IN/OUT, but not INS/OUTS/REP INS/REP OUTS for SmmReadSaveState().

Cc: Eric Dong <eric.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2019-05-14 15:54:57 +08:00
2019-02-14 10:02:28 +08:00
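To show the shape of the fix the commit describes, here is an added C example (not the edk2 code) of a save-state reader that decodes only IN/OUT and reports INS/OUTS and their REP forms as unsupported instead of dereferencing the saved OS/VM virtual address. The status values, struct layout and numeric type encoding are assumptions; the SMM_IO_TYPE_* names other than OUT_DX and REP_OUTS are assumed to follow the same pattern.

```c
#include <stdint.h>
#include <stddef.h>

/* Minimal stand-ins for EFI_STATUS values (assumed, not the edk2 headers). */
typedef int EFI_STATUS;
#define EFI_SUCCESS      0
#define EFI_UNSUPPORTED  3

/* I/O instruction types recorded in the SMRAM save state. The names follow
 * the commit message; the numeric encoding is constructed for this example. */
typedef enum {
  SMM_IO_TYPE_IN_IMMEDIATE = 0, SMM_IO_TYPE_OUT_IMMEDIATE = 1,
  SMM_IO_TYPE_IN_DX        = 2, SMM_IO_TYPE_OUT_DX        = 3,
  SMM_IO_TYPE_INS          = 4, SMM_IO_TYPE_OUTS          = 5,
  SMM_IO_TYPE_REP_INS      = 6, SMM_IO_TYPE_REP_OUTS      = 7
} SMM_IO_TYPE;

/* Constructed, simplified view of the I/O fields in the save state. */
typedef struct {
  SMM_IO_TYPE IoType;
  uint16_t    IoPort;
  uint8_t     IoWidth;    /* transfer size in bytes: 1, 2 or 4 */
  uint32_t    IoData;     /* AL/AX/EAX for IN/OUT */
  uint64_t    IoMemAddr;  /* RSI/RDI for INS/OUTS: an OS/VM virtual address */
} SMRAM_IO_SAVE_STATE;

typedef struct {
  uint16_t Port;
  uint8_t  Width;
  uint32_t Data;
} SMM_IO_INFO;

/* Hardened reader: decode only IN/OUT. INS/OUTS and their REP forms carry
 * IoMemAddr, a virtual address of the interrupted OS or VM that the SMM
 * page tables do not map, so copying from it would page-fault inside SMM.
 * Refuse those types without ever touching the address. */
EFI_STATUS ReadIoSaveState(const SMRAM_IO_SAVE_STATE *State, SMM_IO_INFO *Info) {
  if (State == NULL || Info == NULL) return EFI_UNSUPPORTED;
  switch (State->IoType) {
    case SMM_IO_TYPE_IN_IMMEDIATE: case SMM_IO_TYPE_OUT_IMMEDIATE:
    case SMM_IO_TYPE_IN_DX:        case SMM_IO_TYPE_OUT_DX:
      if (State->IoWidth != 1 && State->IoWidth != 2 && State->IoWidth != 4)
        return EFI_UNSUPPORTED;
      Info->Port  = State->IoPort;
      Info->Width = State->IoWidth;
      /* Keep only the bytes the instruction actually transferred. */
      Info->Data  = State->IoData & (0xFFFFFFFFu >> (8 * (4 - State->IoWidth)));
      return EFI_SUCCESS;
    default:  /* INS, OUTS, REP INS, REP OUTS: IoMemAddr is never dereferenced */
      return EFI_UNSUPPORTED;
  }
}
```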

EDK II Project

A modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications from www.uefi.org.

The majority of the content in the EDK II open source project uses a BSD-2-Clause Plus Patent License. The EDK II open source project contains the following components that are covered by additional licenses:

The EDK II Project is composed of packages. The maintainers for each package are listed in Maintainers.txt.

Resources

Code Contributions

To make a contribution to a TianoCore project, follow these steps.

  1. Create a change description in the format specified below to use in the source control commit log.

  2. Your commit message must include your Signed-off-by signature.

  3. Submit your code to the TianoCore project using the process that the project documents on its web page. If the process is not documented, then submit the code on development email list for the project.

  4. It is preferred that contributions are submitted using the same copyright license as the base project. When that is not possible, then contributions using the following licenses can be accepted:

    For documentation:

    Contributions of code put into the public domain can also be accepted.

    Contributions using other licenses might be accepted, but further review will be required.

Developer Certificate of Origin

Your change description should use the standard format for a commit message, and must include your Signed-off-by signature.

In order to keep track of who did what, all patches contributed must include a statement that to the best of the contributor's knowledge they have the right to contribute it under the specified license.

The test for this is as specified in the Developer's Certificate of Origin (DCO) 1.1. The contributor certifies compliance by adding a line saying

Signed-off-by: Developer Name <developer@example.org>

where Developer Name is the contributor's real name, and the email address is one the developer is reachable through at the time of contributing.

Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or

(b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or

(c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.

(d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.

Sample Change Description / Commit Message

From: Contributor Name <contributor@example.com>
Subject: [Repository/Branch PATCH] Pkg-Module: Brief-single-line-summary

Full-commit-message

Signed-off-by: Contributor Name <contributor@example.com>

Notes for sample patch email

  • The first line of the commit message is taken from the email's subject line following [Repository/Branch PATCH]. The remaining portion of the commit message is the email's content.
  • git format-patch is one way to create this format.

Definitions for sample patch email

  • Repository is the identifier of the repository the patch applies to. This identifier should only be provided for repositories other than edk2. For example edk2-BuildSpecification or staging.
  • Branch is the identifier of the branch the patch applies to. This identifier should only be provided for branches other than edk2/master. For example edk2/UDK2015, edk2-BuildSpecification/release/1.27, or staging/edk2-test.
  • Module is a short identifier for the affected code or documentation. For example MdePkg, MdeModulePkg/UsbBusDxe, Introduction, or EDK II INF File Format.
  • Brief-single-line-summary is a short summary of the change.
  • The entire first line should be less than ~70 characters.
  • Full-commit-message is a verbose multi-line comment describing the change. Each line should be less than ~70 characters.
  • Signed-off-by is the contributor's signature identifying them by their real/legal name and their email address.
Description
Acidanthera UEFI Development Kit based on EDK II edk2-stable202405